> Okay, but the package module doesn't have a disable_gpg_check setting That is an incorrect assessment. The `package` module is simply a proxy to the underlying module. From the documentation:
> This module acts as a proxy to the underlying package manager module. While all arguments will be passed to the underlying module, not all modules support the same arguments. This documentation only covers the minimum intersection of module arguments that all packaging modules support. As such, you can pass any argument that the underlying module supports, but not all modules support the same arguments, so it will be up to you to pass the correct arguments based on the target. On Thu, Nov 18, 2021 at 7:45 PM Darby Mitchell <j.darby.mitch...@gmail.com> wrote: > Okay, but the package module doesn't have a disable_gpg_check setting. > So, previously (CentOS 7), you could install an unsigned package from a > file with the package module. Now, you can't. You have to use either the > dnf module or the yum module on CentOS 8/RHEL 8 to install an unsigned > package from a file, so you can disable GPG verification. > > Here's my use case: There are several unsigned packages we need to > install. Even in 2021, not every organization signs the packages they > provide. We wrote a role a few years ago that downloads and installs an > arbitrary list of packages. When we use this role, we have previously > downloaded and inspected the packages to confirm they are genuine, and > we've cached the SHA256 sums, which we can use to verify the integrity of > the packages downloaded by the role. The list includes the URL and the > SHA256 sum of each package like so: > - package_name: some-package-1.0-1.el8.noarch.rpm > * package_url: > https://some-company.com/path/to/some-package-1.0-1.el8.noarch.rpm > <https://some-company.com/path/to/some-package-1.0-1.el8.noarch.rpm>* > package_sum: > sha256:c3dd60d3ab4f1d56bb69fe3c644c2858d723331345a52453905257720cb2a155 > > The way the role was originally written (using the package module) was > intended to work for RHEL/CentOS as well as other Linux distributions that > are not yum/dnf-based. > > Maybe the package module needs a disable_gpg_check that passes > --nogpgcheck to yum/dnf and --allow-unauthenticated to apt-get? I'm less > familiar with apt-based systems, but I think that does the same thing as > nogpgcheck on yum. > On Thursday, November 18, 2021 at 5:09:09 PM UTC-5 ma...@sivel.net wrote: > >> That is correct. The module explicitly only evaluates whether >> `disable_gpg_check` is set or not. It does not respect the system >> configuration. >> >> On Thu, Nov 18, 2021 at 3:36 PM Darby Mitchell <j.darby....@gmail.com> >> wrote: >> >>> I ran into a problem that I think is a bug, but I saw that I should >>> bring it up as a question on the mailing list first. So, my question is, >>> is it expected behavior for ansible.builtin.package, ansible.builtin.yum >>> and ansible.builtin.dnf to ignore the localpkg_gpgcheck setting in >>> /etc/dnf/dnf.conf? >>> >>> On CentOS 7, the package module and the yum module both honor the >>> localpkg_gpgcheck setting in /etc/yum.conf. If you set it to 0, you can >>> install unsigned packages from a file using the package module (which >>> doesn't have a disable_gpg_check option). >>> >>> On CentOS 8, these modules appear to ignore the localpkg_gpgcheck >>> setting in /etc/dnf/dnf.conf (which is soft linked to /etc/yum.conf). >>> >>> Attached is a minimal example of the behavior... >>> If I just dnf install the RPM, it works like a charm. >>> >>> -- >>> You received this message because you are subscribed to the Google >>> Groups "Ansible Development" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to ansible-deve...@googlegroups.com. >>> To view this discussion on the web visit >>> https://groups.google.com/d/msgid/ansible-devel/2f7007e4-9554-4255-be38-f5bd668b48cfn%40googlegroups.com >>> <https://groups.google.com/d/msgid/ansible-devel/2f7007e4-9554-4255-be38-f5bd668b48cfn%40googlegroups.com?utm_medium=email&utm_source=footer> >>> . >>> >> >> >> -- >> Matt Martz >> @sivel >> sivel.net >> > -- > You received this message because you are subscribed to the Google Groups > "Ansible Development" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to ansible-devel+unsubscr...@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/ansible-devel/bb37b94a-e908-4eb0-b56d-c157407fbe0an%40googlegroups.com > <https://groups.google.com/d/msgid/ansible-devel/bb37b94a-e908-4eb0-b56d-c157407fbe0an%40googlegroups.com?utm_medium=email&utm_source=footer> > . > -- Matt Martz @sivel sivel.net -- You received this message because you are subscribed to the Google Groups "Ansible Development" group. To unsubscribe from this group and stop receiving emails from it, send an email to ansible-devel+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-devel/CAD8N0v-ruAfJac7fX_91r85ZtkE4R_HNyktFXwQ35CuLSDBD%3Dw%40mail.gmail.com.
